LDAP authentication is not working

Article ID: 36993

Products

DX Infrastructure Management, NIMSOFT PROBES

Issue/Introduction

Issue: 

LDAP users are failing to log in to IM, AC, and UMP. The hub log at loglevel 3 shows errors similar to the following:

hub: (nim_ldap_query) ldap_search_ext_s(base:=OU=Corp Users,DC=corp,DC=ad,DC=publix,DC=com, filter:=(&(objectClass=person)(|(@attr_usr_id=qtlbf)(sAMAccountName=qtlbf)))): Bad search filter

Environment:  

All currently supported hub versions from 7.6x through 7.80 at the time that this document was published.

Cause: 

The filter_user key in the ldap->templates->Active Directory section of the hub.cfg file contained a typographical error:

filter_user = (&(objectClass=person)(|(@attr_usr_id=$loginname)(sAMAccountName=$loginname)))

The @attr_usr_id string is incorrect. It must be changed to $attr_usr_id when configuring the hub to use specific AD attributes for LDAP authentication.

Resolution:

Make changes to the following 2 keys in the ldap->templates->Active Directory section of the hub.cfg using the hub probe's Raw Configure GUI:

filter_user = (&(objectClass=person)(|($attr_usr_id=$loginname)(sAMAccountName=$loginname)))
attr_usr_id = userPrincipalName

Note that @attr_usr_id is replaced with $attr_usr_id so that the value of your attr_usr_id key is substituted into the filter that the hub uses.

Additional Information:

Alternatively, you can change just the filter_user key in the ldap->templates->Active Directory section of the hub.cfg:

filter_user = (&(objectClass=person)(|(userPrincipalName=$loginname)(sAMAccountName=$loginname)))

In this case the value of the attr_usr_id key is not used.
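
The following check is an added example, not part of the hub or of the original article: it expands a filter_user template and flags attribute names that are not valid in an LDAP search filter, which is what produces "Bad search filter" for the @attr_usr_id typo. It assumes the hub performs plain $name substitution from the section's keys; the function names and the sample login "jdoe" are hypothetical.

```python
import re

# Attribute description (RFC 4512): letter-led name or numeric OID, optional ;options.
ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*$")
# One simple filter item: "(" attr, operator (=, ~=, >=, <=), value ")".
# Extensible-match items (attr:rule:=value) are not handled by this sketch.
ITEM_RE = re.compile(r"\(([^()=~<>]*)[~<>]?=([^()]*)\)")
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample values; "jdoe" stands in for the login name typed by the user.
SAMPLE_KEYS = {"attr_usr_id": "userPrincipalName", "loginname": "jdoe"}
BROKEN = "(&(objectClass=person)(|(@attr_usr_id=$loginname)(sAMAccountName=$loginname)))"
FIXED = "(&(objectClass=person)(|($attr_usr_id=$loginname)(sAMAccountName=$loginname)))"


def expand(template, keys):
    """Assumed model of the hub's substitution: $name -> keys[name], unknown names kept."""
    return VAR_RE.sub(lambda m: keys.get(m.group(1), m.group(0)), template)


def lint_filter(flt):
    """Return the problems that make an expanded LDAP search filter invalid."""
    problems = []
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:  # a ")" closed more groups than were open
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    for attr, _value in ITEM_RE.findall(flt):
        if not ATTR_RE.match(attr):
            problems.append(f"invalid attribute name: {attr!r}")
    return problems


def check_template(template, keys=SAMPLE_KEYS):
    """Expand a filter_user template and lint the result."""
    expanded = expand(template, keys)
    return expanded, lint_filter(expanded)


if __name__ == "__main__":
    for name, template in (("broken", BROKEN), ("fixed", FIXED)):
        expanded, problems = check_template(template)
        print(f"{name}: {expanded}")
        print("  problems:", problems or "none")
```

A misspelled but well-formed attribute name passes this check, because only filter syntax is tested; confirm separately that the attribute exists in the directory schema.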

Environment

Release: CNMSPP99000-7.6-Unified Infrastructure Mgmt-Server Pack-- On Prem